esp*_*fee 1 sql coldfusion locking unlock sql-server-2008
我想知道在X次登录失败后如何以及锁定用户帐户的最佳方法是什么?我有表,我跟踪用户登录尝试失败.表存储时间戳,用户名,IP地址和浏览器类型.检测到错误的登录信息后,cfquery将根据用户名或IP地址从失败的登录表中提取记录.如果有5次或更多次无效尝试,我将帐户设置为非活动状态.现在我想以某种方式设置计时器,从上次无效尝试该用户开始计数5分钟.然后帐户应将状态更改为活动状态.这是我到目前为止的代码:
<cfquery name="checkUser" datasource="#dsn#">
SELECT UserName, Password, Salt, LockedUntil
FROM Users
WHERE UserName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#trim(FORM.username)#" maxlength="50">
AND Active = 1
</cfquery>
<cfif len(checkUser.LockedUntil) AND dateCompare(now(), checkUser.LockedUntil,'n') EQ -1>
<cfset fnResults.status = "400">
<cfset fnResults.message = "This account is locked for 5 min.">
<cfreturn fnResults>
<cfabort>
</cfif>
<cfset storedPW = checkUser.Password>
<cfset enteredPW = FORM.password & checkUser.Salt>
<cfif checkUser.recordCount NEQ '1' OR (hash(enteredPW,"SHA-512") NEQ storedPW>
<cfquery name="logFail" datasource="#dsn#">
INSERT INTO FailedLogins(
LoginTime,
LoginUN,
LoginIP,
LoginBrowser
)VALUES(
CURRENT_TIMESTAMP,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.username#" maxlength="50">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#REMOTE_ADDR#" maxlength="20">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#CGI.HTTP_USER_AGENT#" maxlength="500">
)
</cfquery>
<!--- Pull failed logins based on username or IP address. --->
<cfquery name="failedAttempts" datasource="#dsn#">
SELECT LoginTime
FROM FailedLogins
WHERE LoginUN = <cfqueryparam cfsqltype="cf_sql_varchar" value="#trim(FORM.username)#" maxlength="50">
OR LoginIP = <cfqueryparam cfsqltype="cf_sql_varchar" value="#REMOTE_ADDR#" maxlength="20">
</cfquery>
<cfif failedAttempts.recordcount LT 4>
<cfset fnResults.status = "400">
<cfset fnResults.message = "Invalid Username or Password!">
<cfelseif failedAttempts.recordcount EQ 4>
<cfset fnResults.status = "400">
<cfset fnResults.message = "This is your last attempt. If you fail to provide correct information account will be locked!">
<cfelseif failedAttempts.recordcount GTE 5>
<cfset lockUntil = DateAdd('n', 5, now())>
<cfquery name="blockUser" datasource="#dsn#">
UPDATE Users
SET LockedUntil = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#lockUntil#">
WHERE UserName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#trim(FORM.username)#" maxlength="50">
</cfquery>
<cfset fnResults.status = "400">
<cfset fnResults.message = "This account is locked for 5 min.">
</cfif>
<cfelse>
//Clear failed login attempts
//Update lockedUntil field to NULL
//User logged in authentication successful!
</cfif>
帐户设置为非活动/锁定后,设置时间倒计时和更改标志状态的最佳方法是什么?我看到有些人推荐SQL Job,但我不确定作业应该多久运行以及如何创建该语句?如果有人可以提供一些例子,请告诉我.谢谢.
你可以做的是为checkUser查询添加一个条件:
<cfquery name="checkUser" datasource="#dsn#">
SELECT UserName, Password, Salt, Active
FROM Users u
WHERE UserName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#trim(FORM.username)#" maxlength="50">
-- AND Active = 1
AND NOT EXISTS ( SELECT 1 FROM FailedLogins fl
WHERE fl.LoginUN = u.UserName
AND DATEDIFF('ss', fl.LoginTime, CURRENT_TIMESTAMP) >= 300 )
</cfquery>
我用过300秒而不是5几分钟DATEDIFF(),我相信,它会回归int.如果这不是SQL Server的理想语法(我不经常使用它),我会提前道歉.
然后,在上面,如果Active为零,则可以(假设密码正确)将其更新为值,1并删除与该帐户关联的失败登录或以某种方式将其标记为非活动,以便它们不计入5次失败的登录更多.
根据以下评论者的建议编辑查询:(好的建议,顺便说一下!)
<cfquery name="checkUser" datasource="#dsn#">
SELECT UserName, Password, Salt, Active
FROM Users u
WHERE UserName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#trim(FORM.username)#" maxlength="50">
-- AND Active = 1
AND NOT EXISTS ( SELECT 1 FROM FailedLogins fl
WHERE fl.LoginUN = u.UserName
AND fl.loginTime < DATEADD(second, -300, CURRENT_TIMESTAMP) )
</cfquery>
| 归档时间: |
|
| 查看次数: |
411 次 |
| 最近记录: |